What is the best approach to learning Splunk?

I start a new position as a Cyber Security Engineer in the next couple of weeks and I have to learn as much about Splunk SIEM as I can. I have experience with McAfee SIEM and a deep background in security, and a little experience with Python. I see that I can download a trial version of Splunk; would this be applicable on my laptop?

I was an ArcSight consultant in a previous life and I am happy with the change :)

One of the first things I had to learn is: Splunk is not just a SIEM. And it's true. Splunk is all about making data easily searchable. Security data, financial data, sales, ... Collect, index and search. Simple.

You shouldn't have too much trouble understanding the architecture model or the collection, which is mainly agent-based too and relies on regex for data extraction.

Just another piece of advice: everything is extremely customisable. Everything. Which is good and bad. I had to refresh my knowledge of XML, JavaScript and HTML in order to get the best out of my data via advanced dashboards.

Previously I was working on ArcSight, but now we are moving to Splunk. I want to understand the architecture and how we can integrate different data sources with Splunk, and then, as the next step, how I can verify that integration.

Integrating data sources is not complicated. You configure your agents or Splunk servers to read your logs, and in general you only have to worry about the parsing at the very end. There's no hard schema you can't modify once you have ingested your data. Forget about that. Simply get your data in, and once it is searchable you can spend time extracting the information and creating your fields.

Verifying the integration is just a matter of writing searches and making sure your logs are still coming in. There are lots of examples in the forums.

If you want my advice, get Splunk running on your laptop. Configure one or two data sources and start familiarising yourself with the search GUI. Using the search engine is critical.
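As an added worked example (not part of either answer above, and not Splunk's own documentation), here is what the "configure a source, extract fields at the end, then keep checking that the data is still arriving" loop looks like in Splunk's own configuration files. The file path, index name, sourcetype, regex and 30-minute threshold are illustrative assumptions; the log line the regex targets is a constructed OpenSSH "Failed password" message. Adapt every one of them to your own data.

```ini
# inputs.conf (on the forwarder or the local laptop instance): one
# monitored file, tagged with an index and a sourcetype. The path,
# index and sourcetype are illustrative assumptions.
[monitor:///var/log/auth.log]
index = security
sourcetype = linux_secure
disabled = 0

# props.conf (on the search head, search-time extraction): fields are
# pulled out with a regex after the data is already indexed, so a wrong
# or missing extraction never blocks ingestion and can be fixed later.
# Constructed example line the regex targets:
#   Feb 10 12:00:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
[linux_secure]
SHOULD_LINEMERGE = false
EXTRACT-ssh_failed = Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)

# savedsearches.conf: the verification step as a scheduled alert. tstats
# reads only index metadata, so it is cheap enough to run every 15
# minutes. It lists every sourcetype in the index whose newest event is
# older than 30 minutes (threshold is an assumption) and fires if any
# such sourcetype exists.
[Security sources - data stopped arriving]
search = | tstats latest(_time) as last_seen where index=security by sourcetype \
| eval age_min = round((now() - last_seen) / 60) \
| where age_min > 30
cron_schedule = */15 * * * *
enableSched = 1
dispatch.earliest_time = -24h
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
```

Run the saved search's SPL interactively in the search bar first; that is the fastest way to see which sourcetypes are actually landing in the index. One caveat worth knowing before trusting the alert: a source that has been silent for longer than the dispatch window (24h here) drops out of the tstats result entirely and therefore never shows up as stale. If you need to catch long-dead sources, either widen dispatch.earliest_time or compare the result against a lookup of the sourcetypes you expect to see.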

Also, check out the Splunk E-Learning: http://www.splunk.com/view/SP-CAAAHSM. There are a variety of courses and options there. Additionally, go through the Search Tutorial, install Splunk locally or get a Splunk Enterprise or Splunk ES (SIEM solution) demo sandbox, and experience it for yourself!